Buyer's Handbook:

How to make a SIEM system comparison before you buy

Article 1 of 2

Share this item with your network:

BACKGROUND IMAGE: matejmo/iStock

A SIEM system with machine learning theoretically can improve itself

Organizations can gain several kinds of benefits from using a SIEM system, but one that's particularly intriguing is the ability to significantly improve the accuracy and speed of incident detection. To be effective, SIEM must use a combination of several analysis and detection techniques, each of which is best suited to finding certain types of incidents. Examples of technique categories include signature-based, anomaly-based, behavior-based and statistical-based.

Understandably, security information and event management (SIEM) vendors don't want to reveal the details of their data analysis and incident detection techniques; thus, there's no easy way to compare how well each system works and quickly identify the best SIEM system for a given company. The current trend is to promote machine learning as the answer to improving analysis and detection accuracy and speed. Machine learning involves computers being capable of making decisions without people specifically instructing them on how to do that. A SIEM system using machine learning should, theoretically, be able to improve itself over time as it receives and analyzes more data.

Unfortunately, machine learning principles are extremely hard for security technologies to adopt. Machine learning flourishes in many other areas of our lives because, in those, it's clear what is "good" and what is "bad." That's not true for security data analysis and incident detection; even the best human experts may not be sure if a particular event or series of events is benign or malicious.

In order for a SIEM tool to improve itself using machine learning, humans must be involved on an ongoing basis. They must take the time to educate the SIEM system on which events are good and which are bad, correcting any mistakes the system initially makes. Even with that, current machine learning capabilities aren't highly effective because of the dynamic nature of technologies, threats, vulnerabilities and attacks. That doesn't mean you shouldn't look for SIEM systems that use machine learning, but rather that you shouldn't assume the use of machine learning necessarily means a significant improvement in analysis and detection capabilities.